Quantum-Classical Complexity-Security Tradeoff In Secure Multi-Party Computation 
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I construct a secure multi-party scheme to compute a classical function by a succinct use of a 
specially designed fault-tolerant random polynomial quantum error correction code. This scheme 
is secure provided that (asymptotically) strictly greater than five-sixths of the players are honest. 
Moreover, the security of this scheme follows directly from the theory of quantum error correcting 
code, and hence is valid without any computational assumption. I also discuss the quantum-classical 
complexity-security tradeoff in secure multi-party computation schemes and argue why a full-blown 
quantum code is necessary in my scheme. 
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I. INTRODUCTION 

Quantum computers are more powerful than classical 
computers in a number of applications such as integer 
factorization Q, database search Q and secret key dis- 
tribution lU^]. Besides, careful use of entanglement re- 
duces the multi-party communication complexity of cer- 
tain functions || and allows secret sharing ||. On the 
other hand, certain post-modern cryptographic applica- 
tions, including bit commitment [Q and ideal two-party 
secure computation || are impossible if the cheater has 
a quantum computer. Thus, it is important to inves- 
tigate the power and limitation of quantum computers. 
Moreover, the quantum versus classical and security ver- 
sus complexity tradeoffs for certain multi-party compu- 
tational tasks deserve in-depth study. 

In this Paper, I analyze the quantum versus classi- 
cal and security versus complexity tradeoffs in secure 
multi-party computation. In secure multi-party compu- 
tation, n players each with a private classical input xi 
want to compute a commonly agreed classical function 
z = f(x±,X2,---,x n ) in such a way that (i) all play- 
ers either know the value of z or abort after detecting 
a cheater/eavesdropper, (ii) no one can gain information 
on the private input of an honest player except those 
logically following z, and (iii) a limited number of cheat- 
ing players cannot alter the final outcome z. Moreover, 
the above three conditions hold even if all cheaters and 
eavesdroppers cooperate. 

Secure multi-party computation can be used as a basic 
building block for a number of extremely useful protocols 
including secure election and anonymous messages broad- 
cast. Thus, it is important to devise a secure multi-party 
computation scheme that tolerates as many cheaters as 
possible on the one hand, and requires as few communi- 
cation between the players on the other. 



Several classical secure multi-party computation 
schemes existed in literature. The security of some of 
these schemes || are based on either the security of cer- 
tain (classical) oblivious transfer or (classical) bit com- 
mitment protocols. Hence, their methods are insecure 
if a cheating player has unlimited computational power. 
Later on, Ben-Or et al. 10 and Chaum et al. fill] in- 



dependently proposed multi-party computation methods 
based on a distributed computing version of the so-called 
(fc,n)-secret sharing scheme [Q. Their schemes are un- 
conditionally secure provided that less than one third 
players cheat. This is true even when the cheaters co- 
operate. Besides, the one third cheating player bound 
is tight among all classical protocols which allow secret 
communications between any two players fic[ |. Later on, 
Rabin and Ben-Or showed that if each player can broad- 
cast a message to all other players and that each pair of 
players can communicate secretly, then there is an un- 
conditionally secure way to compute z if less than a half 
of the players cheat jL3|. The one half cheating player 
bound is tight among all classical schemes which allow 
secret communications between any two players as well 
as public broadcasting |fl3| . 

How much resources is required in classical condition- 
ally secure multi-party computation? In all classical 
schemes known to date, the n players must communi- 
cate securely with others. Hence, n(n— l)/2 classical 
secure communication channels are required. Suppose 
each player has a private input of length k, then ini- 
tially, they have to distribute their private inputs via 
certain secret sharing schemes. To do so, each player 
has to send out O(nfc) bits. Thus, 0(n 2 k) bits of (se- 
cret) classical communications are necessary for the ini- 
tial setup in the whole system. To perform distributed 
computation, up to 0(n 2 k) bits of (secret) communica- 
tions and computation per arithmetical operation are re- 
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quired |f(|[L3|. In addition, to verify that every player's 
secret input is correctly distributed in the secret shar- 
ing scheme, an extra 0(n 3 fc) bits of communications are 
needed |l^,|ll|,|l3| . Since the number of secret communi- 
cation channels scales quadratically with the number of 
players, classical secure multi-party computation is rarely 
used in practice for more than, say, ten players fll4[ . In 
fact, the classical schemes by Ben-Or et al. and Chaum 
et al., being generic, are design primarily to point out the 
plausibility of secure multi-party computation. 



II. THE QUANTUM SECURE MULTI-PARTY 
COMPUTATION SCHEME 

Now, let me report a quantum secure multi-party 
computation scheme that requires fewer communication 
channels and resources at the expense of tolerating fewer 
cheaters. Without lost of generality, I may assume that 
the private input for each player as well as the output 
of the function / are chosen from a finite field F g some 
prime q. My scheme goes as follows: 

1. All players agree on a common computational basis 
for quantum computation, an exponentially small 
security parameter e > 0, as well as two ran- 
dom polynomial quantum error correcting codes 
(QECCs) C\ and C 2 @- In particular, they choose 
C\ to be the [[n, 1, d]] q code where the prime q > n, 
and 3d < n + 2. More precisely, C\ encodes each 
qary quantum register \ao) into n qary quantum 

registers T, q a ~l 2 ,...,a d _ 1= o <8>ILi k + a lVl + a 2 yf + 
■ ■ ■ + ad-iyf' 1 ) /q^ 1 ^ 2 where are distinct non- 
zero elements in F g . The distance of this code is 
d and hence it can correct up to S = I er- 
rors. 1 Furthermore, I denote the [[n, l,d]] q QECC 

Wo) ' — ► £2r,«,...,«»-d+i=o®<U \ao+am+a 2 yf + 
■■■ + a n _ d+1 yr d+1 )/q {n ~ d+1)/2 by C x . In addi- 
tion, C 2 is chosen to be the [[4d'+l, 1, 2d'+l]] 9 ran- 
dom polynomial QECC |ljj whose fidelity of quan- 
tum computation using imperfect devices is greater 
than 1— e. (Since the random polynomial QECC C 2 
has a fault-tolerant implementation |i~5| ], thus, by 
concatenate coding, the threshold theorem in fault- 
tolerant quantum computation guarantees the ex- 
istence of such a QECC C 2 [flfQ-) As we shall 
see later on, the choice of the value of the distance 
d only affect the number of cheaters that can be 
tolerated by the scheme. 



2. Each player sets up a quantum channel with a cen- 
tral routing station. He/She may establish relay 
stations along each quantum channel in such a way 
that the noise level in each quantum channel seg- 
ment is small enough to perform entanglement pu- 
rification. (See Refs. @-fo| for details.) Further- 
more, each player also has access to a classical pub- 
lic unjammable channel for broadcasting. 

3. The players, central routing channel and relay sta- 
tions separately prepare a few copies of the state 
|$) = Ylk=o \kfy/-\/Q- They encode each copy 
using QECC C 2 , and share these encoded state 
|$) between the two ends of each quantum com- 
munication channel segment. Then, they per- 
form fault-tolerant entanglement purification pro- 
cedure as discussed in Refs. [^9|,|0| on these shared 
states. Afterwards, these possibly impure encoded 
states |$) shared between each channel segment 
from one player to another are connected together 
by quantum teleportation f§,[l8 21 1. Finally, each 



pair of players test the purity of their shared en- 
coded states |$) by a variation of the fault-tolerant 
random hashing technique described in Rcf. [Q. 
(Readers may refer to Appendices |a| and for de- 
tail description of the teleportation and the random 
hashing procedures, respectively.) They proceed to 
step H only if the random hashing test is passed for 
each pair of players. And in this case, each pair of 
players will share a number of almost perfect en- 
coded logical state |$). The entanglement shared 
between each pair of players in this way can then be 
used to securely transport states among themselves 
in step|^. Clearly, shared |$) is not the only possi- 
ble way to establish such an entanglement. In fact, 
one may replace the state |<E>) in this scheme by an 
EPR pair. Nevertheless, the scheme will become 
slightly complicated after such an replacement for 
one has to teleport gary instead of binary quantum 
registers in step [|. 

4. Let Xi be the private classical input of player i, 
then he/she prepares s — O(logi) copies of the 
state \xi). He/She also prepares a number of preset 
quantum registers |0) that will be used later on in 
the reversible quantum computation. Player i first 
encodes each of his/her prepared quantum registers 
using the QECC C\. Then, player i further encodes 
the jth quantum register in each of his/her encoded 
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state using C2 and teleports the resultant quantum 
registers to player j using their previously shared 
encoded state |$) in step || for all j 7^ i. He/She 
also encodes each of the ith quantum register by C2 
and keeps those quantum registers himself/herself. 
All players keep their received quantum registers 
private as well. And in what follows, I use the sub- 
script "L" below the state ket to denote a state that 
is encoded and distributed among the n players us- 
ing this procedure. In addition, the players also 
prepare a number of preset quantum registers |0), 
encode it first by C\ and then by C2. The play- 
ers then distribute these encoded preset registers 
among themselves in a similar way as in sharing 
their private inputs. And I use the subscript "L" 
below the state ket to denote such an encoded and 
distributed state. States |0)l and |0)£ shall be used 
as preset registers during the reversible computa- 
tion in step |(| 

5. In order to make sure that everyone follows step |] 
honestly, a player j (the verifier) may challenge a 
randomly chosen player i (the prover) using the 
fault-tolerant random parity check method similar 
to that used in Ref. 

More precisely, player j publicly announces a 
sequence {ck}% =1 of integers in ¥ q such that 
J2k=i Ck = 0- Then, every player is required to help 
player j to compute the random parity X)fc=i c k%ik 
by distributed fault-tolerant quantum computation 
(FTQC), where Xik denotes the state of the fcth 
copy of the private input of player i. Clearly, the 
choice of QECCs C% and C2 enable us to perform 
the above quantum computation in a fault-tolerant 



way without any measurement and ancilla |15|. Be- 
sides, the method of distributing the private input 
state in step [I] allows the players to perform the 
above FTQC in a distributed manner without any 
communications between them. 

To verify if the result computed (which I call it the 
random parity) is equal to zero, all players measure 
and publicly announce their measurement outcome 
along their commonly agreed computational basis 
on their corresponding C2 encoded quantum reg- 
isters that encode the random parity. Because C\ 
is a [[n, 1, d]] q random polynomial QECC, the mea- 
surement results of the players correspond to the 
classical [n, d, n— d+l] q Reed-Solomon encoding of 
the random parity. Naturally, they continue only if 
the random parity inferred from this classical Reed- 
Solomon encoding is zero. This verification process 
has to repeat 0(log ^) times for each proving player 
i so as to guarantee security. 

In addition, all players use a similar distributed 
fault-tolerant random parity checking technique to 



verify the purity of the distributed encoded pre- 
set quantum registers |0)l and |0)j among them- 
selves. They proceed to step ^ only when all the 
measurement results are consistent with the as- 
sumption that there is no cheater or eavesdropper 
around. Thus, in order to establish the required se- 
curity, O(logi) private input states prepared and 
distributed in step |^ are wasted. (An alternative 
way to perform the random parity check measure- 
ment is to ask the players to teleport their shares 
of the encoded random parity quantum registers to 
the verifier. Then, the verifier makes the appropri- 
ate measurement and publicly announces the out- 
come.) 

6. To compute the commonly agreed classical func- 
tion z — f(xi, X2, ■ ■ ■ , x n ), the n players perform 
distributed FTQC on their received quantum par- 
ticles. The players keep every quantum state except 
the final result private. 

To be precise, they first decompose the classical 
function / into a commonly agreed composition of 
elementary operators. Each elementary operator 
is in the form of (i) register- wise addition \x) ^— > 
|x + a), (ii) register- wise multiplication \x) 1— > \ax), 

(iii) generalized C-NOT \x,y) i— > \x,x + y) and 

(iv) generalized Toffoli gate \x, y, z) 1— » \x, y, z+xy) 7 
for some fixed a 7^ P2fl . 

At this point, each player should have r = 
O(log-) < s remaining quantum registers dis- 
tributed among themselves. Moreover, all the re- 
maining distributed quantum states of an honest 
player, upon quantum error correction, should be 
identical. Clearly, the choice of the random polyno- 
mial QECCs C\ and C2 together with the private 
secure distribution method in step || allow the play- 
ers to perform the first three types of elementary 
operators without any measurement or communi- 
cation between the players |15|. Thus, they can 
perform the fault-tolerant operation on the r re- 
maining distributed quantum registers one by one. 
And in this way, they end up with having r identi- 
cal resultant states if they are honest. 

To perform the fourth type of elementary oper- 
ator, namely, a generalized Toffoli gate on the r 
remaining distributed encoded states, they do the 
following. First, the players collectively synthesize 
the distributed state J2o[~b=o l a > &j a^i./q 3 ^ 2 among 
themselves using their verified distributed states 
|0)l by a procedure based on that in Ref. (T^j] as 
follows: 
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^^2 E ^l^.^lL (1C) 
a,fc,c,fc— 

E ^ {ab - c+x) \a,b,c)L®\x) L , (Id) 

where u g is a primitive gth root of unity. 

To arrive at Eq. (^) in a fault-tolerant man- 
ner, each player i simply has to perform the 
following local Fourier transformation \a) i — ► 
12t=o UJ q"' iab \b} I \/q on his/her corresponding quan- 
tum registers, where rrii € ¥ q is a unique solu- 
tion for the system of equations X)"=i Tn% = \ and 

En V^n 2 V^™ n— 1 

0. I denote this fault-tolerant transformation by 
In fact, Appendix |C| shows that 3 r |0)L = J2t=o 
and 5"|0)l = X)fc=o l^) L - And then, Aharonov 



and Ben-Or tell us how to arrive at Eqs. (lb) by 
fault-tolerant controlled-phase-shift gate without 
any communication between the players []l5| . More 
precisely, each player i applies \a,b) i — > w^^a, 6) 
to their share of the third and fourth quantum reg- 
isters where pi £ ¥ q satisfies ^ZILiPi = — 1 an d 

En v^n 2 v^n w ^ 

^ i=iPiyi = Z, l= iftyi = ••• =tJZi=iPiyi = 0- 

Subsequently, arriving at Eq. (nq) from Eq. ( p/q ) 
requires the fault-tolerant controlled- controlled- 
phase-shift gate \a, b, c)l i— > w^ bc |a, 6, c)l- And 
for the random polynomial code C\ with 3d < 
n + 2, this operation is achieved when each player 
i applies the controlled-controlled-phase-shift gate 



Tiabc 



a, b, c) to his/her corresponding 
share of the encoded first, second and third quan- 
tum registers, where € ¥ q is the solution (not 
necessarily unique unless 3c? + 1 = n) of the sys- 
tem of equations J27=i r i = !> an( i Xh=i = 
EiLiny? = ••• = Er=i r iyf d = °- Finally, 
to arrive at Eq. ( |ld| ) from Eq. (|T^) in a fault- 
tolerant way, the players simply apply the same 
local Fourier transform J that creates Eq. ([la]) to 
their share of the fourth quantum register. (Again, 
the proof can be found in Appendix |c[) In sum- 
mary, the players can evolve their share of quantum 
states to Eq. (Id) in a fault-tolerant manner with- 
out any measurement, communications or the use 
of ancillary particles. 

After the players have evolved their quantum par- 
ticles to the distributed state in Eq. (|lc|), they 
measure their share of the fourth encoded quan- 
tum register along the commonly agreed compu- 
tational basis and then publicly announce their 
measurement results. In this way, they end up 



having a classical [n, n — d + 1, d] q Reed-Solomon 
code and after error correction, they can infer 
the measurement outcome of the fourth encoded 
quantum register along the commonly agreed com- 
putational basis. Suppose the inferred measure- 
ment result is A, then the state ket of the re- 
maining three distributed encoded quantum reg- 
isters becomes Y^b,ck=a uj k q {ah ~ c+X) \a,b, c) L /<7 2 = 

E'~t=o 1°' b ' ab+ X) h /q. So, by applying a fault- 
tolerant generalized C-NOT gate depending on the 
measurement result A, they eventually synthesize 
the state J2Tb=o l a ' ^> a b)h/q collectively. 
At this point, using their newly synthesized dis- 
tributed encoded state J2Vb=o \ a ' ^ o-^l/q as an- 
cilla, the n players implement the generalized Tof- 
foli gate in a fault-tolerant manner using a varia- 
tion of the Gottesman's method in Ref. ^3j. (See 
also Ref. [jlTj for details.) More precisely, they per- 
form the following transformation using a number 
of fault-tolerant generalized C-NOT gates and a 
fault-tolerant # gate 
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\a, b,z + ab)i 
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Now, the n players measure their shares of the first 
three encoded registers along the commonly agreed 
computational basis. Regarding as classical Reed- 
Solomon codes, their publicly announced measure- 
ment outcomes can then be used to infer the (quan- 
tum) measurement results of the first three regis- 
ters along the commonly agreed computational ba- 
sis. Suppose the inferred measurement results of 
the first three registers are Ai, A2 and A3, respec- 
tively. Then, by adding Ai to the fourth register, 
A2 to the fifth register, and \iy+\2X— A1A2 to the 
sixth register, they get the state u q 3Z \x, y, z + xy}^. 
Finally, they obtain the state \x, y, z + xy)^, which 
is the result of a generalized Toffoli operation, by 
applying a suitable phase-shift gate in the sixth 
register and then followed by another controlled- 
controlled-phase-shift operator to the first and sec- 
ond registers. (As I have discussed previously, play- 
ers may perform these operations without any com- 
munication because of the choice of the QECC C\ 
and C2 together with the fact that Ai, A2 and A3 
are classical data.) 

To ensure accuracy, they perform the above pro- 
cess r times to the r supposedly identical signal 
states. In this way, they end up with implement- 
ing r identical generalized Toffoli operators if all 
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players are honest. (At this point, readers may 
wonder why I do not check the purity of ancil- 
lary state J2Tl=o l a ' ^' a b)L/q directly. The rea- 
son is that random parity checking does not work 
for this ancillary state because the state of the 
untested particles will be altered by the test it- 
self. Readers may also ask why I do not apply the 
fault-tolerant Fourier transformation gate to obtain 
J2k=o f rom |0)l . The reason is that all known 
fault-tolerant Fourier transformation gate for the 
[[n, 1, d]] q QECC C\ with 3d < n+2 to date requires 
collective measurements on the encoded quantum 
registers and hence is liable to error in the pres- 
ence of cheaters.) (An alternative method to per- 
form the required measurement is to assign once 
and for all a randomly chosen player for each of 
the r — 0(log i) supposedly identical signal states. 
Whenever it comes to a measurement, players tele- 
port their states to be measured to the correspond- 
ing assigned player who then makes the necessary 
measurement and publicly announces the measure- 
ment outcome.) 

7. In order to make sure that the players indeed follow 
the distributed FTQC in step ^ honestly, they carry 
out the random parity verification test O(logi) 
times to their final state using the same method 
as described in step ||. Finally, to obtain the value 
of z — f(xi,X2,---,x n ), the n players separately 
measure their share of quantum registers that en- 
codes the value of z along the commonly agreed 
computational basis, and then publicly announce 
their measurement outcomes. Then, they infer the 
value of z using standard classical Reed-Solomon 
code error correction. 



III. THE SECURITY OF THE QUANTUM 
SCHEME 

Now, I claim that the above scheme correctly computes 
the classical function z = ,f{x\, X2, ■ ■ ■ , x n ) with a proba- 
bility 1 — ie for some fixed constant I > 1, provided that 
no more than 5 players cheat. Besides, those 8 = [^p-J 
cheaters know nothing about the private inputs of every 
honest player and they cannot alter the final outcome z. 
These claims are true even if all cheaters cooperate and 
have unlimited computational power. 

To prove the above claims, one observes that there are 
four possible ways for the above scheme to go wrong, 
namely, the presence of noises, bad instruments, eaves- 
droppers and cheating players. Remember that a cheater 
may deliberately announce wrong measurement results 
and thereby misleading others. Besides, one has to make 
the most pessimistic assumption that all cheaters and 
eavesdroppers cooperate and control everything except 



the instruments in the laboratories of the honest play- 
ers. The cheaters may even have unlimited computa- 
tional power. Using the argument in Ref. [Q, I first show 
that we can safely neglect the effect of noises and bad 
instruments. Since all steps in the above scheme are per- 
formed in a fault-tolerant manner, the theory of FTQC 
tells us that with probability 1 — e we may regard the ef- 
fect of noise and bad instruments simply affect the error 
syndromes but not the quantum information encoded in 
the states [p~5| [Tt|] . Besides, the theory of QECC tells us 
that learning error syndromes give no information about 
the quantum information encoded in the state p4| , f25| |. 
Consequently, by restricting myself to the evolution of 
quantum information contained in the encoded quantum 
registers, I may analyze the behavior of the above scheme 
in a noiseless environment from now on. 

Then, it remains for me to show that no more than 5 
cheaters can obtain partial information on the private in- 
puts of some honest players. Besides, these cheaters can- 
not alter the output of the classical function /. In order 
to do so, one has to understand the function of each step 
in the scheme first. Steps || and || are direct generaliza- 
tion of the entanglement-based quantum key distribution 
protocol proposed by Lo and Chau in Ref. . The aim of 
these two steps is to share almost perfect encoded state 
|$) between any two pairs of players so that they can 
teleport quantum states in a fault-tolerant manner from 
one to another at a later time in step ^. Step make sure 
that every player follows step ^ to distribute his/her pri- 
vate input as well as the preset quantum registers using 
the QECCs C\ and C\. The actual computation is car- 
ried out in step [| And finally, they verify and measure 
their computational result in step |?]. 

A. Private Inputs Of An Honest Player Is Secure Up 
To Step | Of The Quantum Scheme 

I have two cases to consider in order to show that 
the 5 = L^T^J cheaters obtain no information on the 
private inputs of the honest players up to the random 
parity verification in step |^ of the quantum scheme. 
The first case is when the proving player i in step ^ 
is honest. In this case, the encoded state |$) shar- 
ing scheme in step ^ between the proving player i and 
all other honest players is a straight-forward generaliza- 
tion of the quantum key distribution protocol of Lo and 
Chau in Ref. Q. More importantly, as stated in Ap- 
pendix [b|, the random parity test in step ^| maps the 
basis B = {J2t=o LU q b \ k > k + a )/V9K&eF, to basis B up 
to a global phase. Therefore, the proof of Lo and Chau in 
Ref. Q applies. In particular, they have already proved 
that the fidelity of every encoded state |$) shared be- 
tween any two honest players is at least 1 — e even in 
the presence of eavesdroppers and cheaters [Q. Then in 
steps and ||, eavesdroppers and cheaters can only access 
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to the public classical communications between the hon- 
est players. Fortunately, these classical messages contain 
no information about the teleported quantum state Q . 
Hence, no one apart from the sender and the receiver 
knows the teleported state. Thus, these S cheaters have 
access to at most their share of 6 quantum registers of 
the distributed encoded state \xi)h- Since the C\ is a 
[[n, 1, d]] q QECC, the knowledge of the S quantum regis- 
ters in the hands of the cheaters contains no information 
on the private input Xi at all. 

The second case is that the proving player i is dis- 
honest. Clearly, the job of the dishonest player i is to 
somehow mislead the other players into believing that 
he/she is honest. More precisely, player i tries to de- 
vise a method (possibly with the help of the other 6—1 
cheaters in the system) so as to pass the verification 
test in step || with a probability greater than 1 — £e for 
some fixed positive constant £. Note that measuring ev- 
ery quantum register of an arbitrary quantum codeword 
of the [[n, l,d\) q random polynomial QECC C\ along 
the commonly agreed computational basis gives a clas- 
sical [n,d, n — d+l] q Reed-Solomon codeword. Besides, 
if the Ci encoded quantum state contains S erro- 
neous quantum registers, then after measuring along the 
computational basis, we end up getting a classical Reed- 
Solomon codeword with at most <5 erroneous registers. 
Since S < n/4 p5| , p6| ], therefore if an error can be han- 
dled by the QECC C\ , the corresponding error after mea- 
surement can be handled by the corresponding classical 
Reed-Solomon code. Moreover, the coarse-grained mea- 
surement, that is, process of measuring each quantum 
register along the computational basis together with the 
inference of quantum state from the Reed-Solomon code, 
can be regarded as a projective measurement along the 
C\ encoded computational basis on quantum state. And 
now in the verification step pi all the n—8 honest players 
indeed measure the quantum states along the commonly 
agreed computational basis. Besides, the random parity 
check does not alter the state of the un-measured quan- 
tum particles. Therefore, the coarse-grained measure- 
ments performed by the honest players commute with 
each other; and hence each coarse-grained measurement 
result will in no way change the outcome of all subse- 
quent measurements [Q. Thus, theoretically, the hon- 
est players may push their coarse-grained measurement 
forward to the time when the quantum states are just 
prepared. Consequently, the probability that cheating 
player i passes the quantum verification test in step || can- 
not exceed the probability of passing a classical random 
parity verification test in which player i is only allowed to 
prepare only a classical mixture of states Q| . Clearly, the 
probability that player i cheats and yet he/she passes the 
classical verification test is no greater than l/q r where r 
is the number of independent rounds of tests performed. 
Consequently, by repeating the quantum random parity 
test logq i times, the probability that player i cheats and 



yet he/she passes the quantum verification test in step || 
is at most e. And once the quantum verification test is 
passed, the fidelity of the remaining untested quantum 
states as being a valid input \xi) is equal to 1 — £e for 
some constant £ independent of n and e. Thus, the en- 
tropy of each of the untested quantum states is equal to 
\ogq + £e. Hence, the cheaters have exponentially small 
amount information on the private inputs of every honest 
player jij. And using a similar argument, I know that the 
fidelity of the distributed preset quantum registers |0)l 
and |0)l is also equal to 1— te. 

Therefore, I conclude that if there are at most 5 
cheaters around and that they choose to perform mea- 
surements individually, then the probability that these 
cheaters can obtain partial information on the private 
inputs of the honest players is bounded from above by £e 
for some fixed constant £ > up to step ^| of the quantum 
scheme. 

In the event that the players choose to teleport their 
random parity state to the verifier who then make the 
necessary measurement, the proof of security up to step || 
is similar. Note that if the verifier is honest, then the 
above proof applies. On the other hand, if the verifier 
cheats, two possible things may happen. First, the ver- 
ifier may wrongly announce an inconsistent result. But 
leads to an immediate abortion of the scheme. Hence, 
he/she cannot obtain any extra information on the pri- 
vate input of an honest player. Second, the verifier may 
turn a blind eye to a measurement result that is inconsis- 
tent with the no cheater/eavesdropper assumption. Since 
8/n < 1/6, a non-zero fraction of the verifiers are hon- 
est. So, after 0(log -) rounds of random parity tests, the 
probability that the private input of an honest players 
leaks out is less than £e for some fixed constant £ > up 
to step H of the quantum scheme. 

Thus, I conclude that if there are at most S cheaters 
around and that the players choose to teleport the parti- 
cles encoding the random parities to the verifiers before 
making measurement, then the probability that cheaters 
obtain partial information on the private input of an hon- 
est player is less than £e for some fixed constant £ > 0. 

B. Cheater Cannot Alter The Computation Result 

Now, I proceed to show that these 5 cheaters cannot 
alter the outcome of the function evaluation / with a 
probability greater than e in steps |6| and ^ of the quan- 
tum scheme. Since one may regard any illegal quantum 
manipulation by the S cheaters as decoherence acting on 
up to 5 quantum registers in the QECC C\ , the theory of 
FTQC implies that any quantum manipulation by these 
cheaters cannot alter the final outcome of the function 
/. Nevertheless, the theory of FTQC assumes that all 
measurements of the encoded quantum state and manip- 
ulation of classical data are error free. So, it remains for 



G 



me to show that measurement and classical data manip- 
ulation by cheaters also cannot alter the outcome of the 
function /. 

Because of the choice of C\ and C2, there are two possi- 
ble operations in the scheme that requires measurement 
or classical message communication, namely, the verifi- 
cation test and the generalized Toffoli gate. As I have 
discussed previously, incorrect measurement or classical 
message broadcasting in a verification test results in the 
immediate abortion of the scheme. Hence, it cannot alter 
the final output of the function /. So, it remains for me to 
consider to case of a generalized Toffoli gate. Recall that 
the generalized Toffoli gate is collectively synthesized by 
the n players from the verified distributed encoded state 
|0)l in step |[ Fortunately, if the players choose to per- 
form their measurements individually, then all measure- 
ment results in step || are in either the [n, d, n— d-\-l] q 
or the [n, n—d, d] q Reed-Solomon code forms. Hence, the 
6 cheaters cannot alter the measurement outcome and 
hence the value of z. 

On the other hand, if they choose to teleport their 
states to their corresponding randomly assigned player, 
then in order to pass the final random parity test in step 
with a probability greater than e, the cheaters must ar- 
range the state of the final outcome z = f(xi, X2, ■ ■ ■ , x n ) 
for each of the r = 0(log -) copies of quantum particles 
to be almost identical. This is possible only when all the 
r randomly assigned players who are responsible for mea- 
surement cheat. Since the probability that all randomly 
assigned players cheat is equal to = 0(e). Conse- 

quently, the probability that the 6 cheaters can alter the 
final value of z without being detected is equal to ie for 
some fixed positive constant t. 



C. Cheater Cannot Obtain Partial Information 
During Distributed Computing Of The Function / 

Although cheaters cannot alter the final outcome of 
the computation with a probability greater than ie for 
some fixed positive constant £, readers may ask if these 
cheaters can obtain partial information on the private in- 
put of an honest player in steps || and 0. Now, I show that 
this is not possible. Using the same argument as in Sub- 
together with the choice of [[n, 1, d]] q codes 



IIIB 



section 

Ci and C2, the only possible place for information leak- 
age is the measurement performed by the players during 
the implementation of a generalized Toffoli gate. And as 
I have discussed in Subsection 



IIIB 



if the players choose 
to measure individually, then the 5 cheaters cannot al- 
ter the joint measurement result that is required during 
the collective and distributive synthesis of the ancillary 
state J2Tb=o 1°' ob)i,/q as well as during the implemen- 
tation of the generalized Toffoli gate. Moreover, theory 
of QECC tells us that the value of these measurements 
contains no information on the distributed encoded state 



\x,y, Recall that the S cheaters have access only to 
their shares of the entangled quantum state together with 
the classical information on the measurement results on 
the fault-tolerant generalized Toffoli gate. Since C% is a 
[[n, l,d]] q QECC, these information alone is not enough 
for the cheaters to obtain any information on \x, y, z)l 
and hence the private inputs of an honest player. 

On the other hand, if the players choose to teleport 
their corresponding states to the randomly assigned play- 
ers before making measurements, then we cannot control 
the action of a cheating assigned player. Nonetheless, by 
looking into the synthesis scheme of the ancillary state 
b=o l a ' k> a b)h used in step ^, the cheating assigned 
player can only alter the third encoded quantum regis- 
ter of this ancillary state. In other words, the cheating 
assigned player can only, after error correction, alter the 
state of the last quantum register in Eq. (||). So right 
after all players teleported their corresponding quantum 
registers to the cheating assigned player, the S cheaters 
control the first three encoded quantum registers together 
with the shares of distributed encoded fourth, fifth and 
sixth registers. Consequently, the reduced density ma- 
trix of the quantum registers controlled by the cheating 
assigned players is independent of x, y and z. Hence, it 
is impossible for the 5 cheaters to obtain partial informa- 
tion of the private input of an honest player. 

In summary, using the results in Subsections |III A| - 



III C , I conclude that the quantum secure multi-party 
computation scheme in Section || is secure provided that 
no more than S players cheat. Moreover, the security is 
unconditional for it does not rely on any computational 
assumption. 

And in the alternative scheme that the players teleport 
their quantum states to some once and for all randomly 
chosen players and let these assigned players to make the 
measurement, the proof that the 8 cheaters cannot alter 
the final outcome z and that they cannot obtain extra 
information on the private input of an honest player is 
similar. 



IV. THE COMPLEXITY AND SECURITY 
TRADEOFF BETWEEN THE QUANTUM AND 
CLASSICAL SCHEMES 



Clearly, the above quantum secure multi-party compu- 
tation scheme requires 0{n) quantum channels, a public 
classical unjamable broadcasting channel, 0(n 2 /clogi) 
bits of quantum and classical communications in order 
to distribute and compute the classical function /, where 
k is the length of each private input. Distributed FTQC 
of register-wise addition, register-wise multiplication and 
generalized C-NOT gate do not require any communica- 
tion. And distributed FTQC of a generalized Toffoli gate 
requires 0(nfclog -) bits of classical messages broadcast, 
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or equivalently, 0(n 2 fclogi) bits of classical communi- 
cations between the players if they choose to perform 
their measurement individually. Distributed FTQC of a 
generalized Toffoli gate requires O(nfclogi) bits of clas- 
sical communications should they choose to teleport the 
states and measure them collectively by the randomly 
assigned players. Moreover, if classically non-distributed 
computing / requires T timesteps and S space, then the 
distributed quantum computing scheme in step |^ above 
requires 0(nT 1+e ) timesteps and O(roSlogT) space for 
any e > pjj ]. Hence, the amount of communica- 
tion required to distributed FTQC of a classical func- 
tion / is bounded from above by 0(n 2 kT 1+e log |) should 
they use the alternative teleportation plus measurement 
method. In contrast, the best classical secure multi-party 
computation scheme known to date requires 0(n 2 ) com- 
munication channels and 0(n 3 kT) bits of communica- 
tions. Thus, the quantum secure multi-party computa- 
tion scheme requires fewer channels and less computation 
or communications than the best known classical algo- 
rithm to date. 

Nevertheless, the improvement of the quantum scheme 
over the classical one comes with a price tag. Recall that 
the maximum number of cheaters tolerated by this quan- 
tum scheme is related to the maximum possible distance 
d of a QECC that maps one gary quantum register to n 
qaiy quantum registers. Since I am using the [[n, 1,g?]]<j 
QECC with 3d < n + 2, my scheme can tolerate only 
asymptotically up to strictly less than 1/6 cheaters. On 
the other hand, the best known classical scheme is un- 
conditionally secure provided that strictly greater than 
one half of the players are honest. In other words, the 
quantum scheme reported here trades security for com- 
munication complexity. 

V. FULL-BLOWN QUANTUM CODE IS 
REQUIRED IN THE QUANTUM SCHEME 

At this point, readers may question if a full-blown 
QECC is required in this quantum scheme because phase 
errors do not affect the final outcome z. Rather surpris- 
ingly, the answer is yes. In fact, I shall show that if C 
is a linear map sending one quantum register to n quan- 
tum registers, then any two of the three conditions below 
imply the third one: 

1. C is a QECC correcting up to 6 spin flip errors. 

2. C is a QECC correcting up to 6 phase shift errors. 

3. The partial trace over any n — 5 registers gives no 
information on the initial unencoded wavefunction. 

The theory of QECC implies that (1) and (2) (3). 
And now, I show that (1) and (3) =>• (2). The re- 
maining case that (2) and (3) (1) can be proven 



in a similar way. I divide the n players into two 
groups. Groups A and B have n — 8 and 5 players, re- 
spectively. By Schmidt polar decomposition, the en- 
coded normalized state J^ fc ak\k)\^ can be written as 
P = Eij.fc,*,' y/ K{k)\j{k')\ai (fc)) ® \bi (fc)) ® 
(bj(k')\, where |<Xj(fe)) and \bi(k)) are eigenvectors of the 
reduced density matrices as seen by groups A and B, 
respectively. Hence, taking partial trace over group A, 
condition (3) tells us that 

Tr A (p)= a fc S fe '(a i (A;')|a i (A ; ))|6 i (fc))<6 j (fc , )| (3) 

is independent of a^. This is possible only if = \bi) 

and y/ \i(k)\j(k')(a,j(k')\a,i(k)) are independent of k for 
all i,j. Condition (1) implies that 

xJxmXjik'KklS^bj) (a z (k)\S'\ aj (k')) = 4,fc'A s ,s', 

id 

(4) 

where S and S' are spin flip operators such that each 
acts on no more than S quantum registers, and As,s> is 
independent of k and k' [ p4|]2"5f| . Since is independent 
of k, Eq. (|J) holds if one replaces S by a general quantum 
error operator G which acts on no more than S quantum 
registers. Since groups A and B are arbitrarily chosen, 
Eq. (jj) is valid if one replaces S' by G. Once again, since 
\bi) is independent of k, I conclude that Eq. (0) is true 
even if one replaces the two spin flip operators S and S' 
by general quantum error operators G and G' which act 
on no more than 6 quantum registers. Consequently, C is 
a QECC correcting up to S errors p4| , p5| ]. In particular, 
condition (2) is valid. 

VI. OUTLOOK 

In summary, I have reported and proved the secu- 
rity of a quantum secure multi-party scheme to compute 
classical functions. The scheme makes essential use of 
fault-tolerant quantum computation and a specially de- 
signed quantum error correcting code. While the quan- 
tum scheme tolerates only about one third the number of 
cheaters as the best known classical scheme to date, it re- 
quires asymptotically smaller amount of communication 
between the players. 

This scheme also tells us that higher dimensional CSS- 
like quantum error correcting codes with fault-tolerant 
implementation have far-reaching applications outside 
the context of quantum mechanical computation. While 
quantum code is not the only possible way to protect 
quantum information during computation pSfl , cheating 
players may do all the nasty things that only full-blown 
quantum code can handle. Hence, quantum code is an 
essential ingredient in this secure multi-party computa- 
tion scheme. Moreover, no binary [[n, l,e?]] 2 CSS code 
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with d > n/7 is known to date. Thus, higher dimen- 
sional quantum code p9| appears to be an essential in- 
gredient in making my scheme to tolerate strictly less 
than one sixth cheating players. Since fault-tolerant com- 
putation of a general non-CSS-like code requires collec- 
tive measurements p3], it seems likely that C\ should 
be a CSS-like code 130]. Besides, by replacing the ran- 
dom polynomial codes G\ and C2 by the correspond- 
ing continuous quantum codes |n| of the form |<zo) 1 — > 

J dai da 2 - ■ ■ da d -i (g>™ =1 \a +a 1 y t H ha d _ij/f _1 ), my 

scheme also works for continuous quantum variables. 

Rains showed that no binary [[n, 1,2<5 + 1]]2 quantum 
code exists for i5 > n+1 |32| and a simple modification of 
the proofs of the optimality of the five quantum register 
code in Refs. and [|6| shows that [[n, l,d]] q codes 
must satisfy d/n < 1/4. Thus, it may be possible to 
design a QECC based secure multi-parity computation 
scheme that tolerates up to a quarter cheaters. It is in- 
structive to find such scheme out, if any. 

It is also natural to ask if it is possible to extend this 
scheme to perform multi-party computation of a quan- 
tum function. That is, given a commonly agreed unitary 
operator U as well as n private quantum states \xi), is it 
possible to compute U ®i \xi)l Clearly, such a scheme ex- 
ists if all the players are honest. The players may simply 
modify the scheme in this Paper a little bit by dropping 
out all the verification tests that check the identity of the 
private inputs, final output, and the correct implementa- 
tion of generalized Toffoli gates. Nevertheless, there is no 
obvious way to use the random parity test to check the 
validity of a general quantum state. Moreover, a player 
may cheat by using the delay measurement tactics as in 
the proof of the impossibility of quantum bit commit- 
ment [0. It is, therefore, of great interest to know if it is 
possible to achieve quantum multi-party computation of 
a quantum function in the presence of cheaters. 



APPENDIX A: PROCEDURE OF TELEPORTING 
A QARY STATE 



APPENDIX B: PROCEDURE OF THE RANDOM 
PARITY/HASHING TEST 



Let us consider the basis B = {J2l=o ^qlfc, k + 
a) / y/q} a ,be¥ q - Clearly, one may transform from one ba- 
sis state ket to another by local unitary operations alone. 
And I denote the set of all such transformations by T. 
Furthermore, the register-wise generalized C-NOT oper- 
ation maps the basis states B®B = {\A}(^\B} : \A},\B) e 
B} to B®B up to a global phase. Therefore, the random 
parity/hashing test goes as follows: the two parties co- 
operate and randomly apply a transform fi € T for each 
share of their entangled quantum state they obtain in 
step ||. Then they apply the register-wise generalized C- 
NOT operations to a number of randomly selected pairs 
of their resultant entangled quantum states. Finally, they 
measure the outcome of their final target quantum regis- 
ter along the computational basis. They continue only if 
their measurement result is consistent with the hypoth- 
esis that their share of quantum particles are all in the 
state |$) . And if they continue, they apply suitable trans- 
formations gi £ T on their remaining shares of quantum 
states so as to bring them back to the state |<i>). Clearly, 
this random parity checking procedure is a direct gener- 
alization of that used in Ref. 101. 



APPENDIX C: THE ACTION OF 5 



Here I show that $\0)l = Sfe=o The proof of 



= Sfe=o l^) L 18 similar. Recall that J denotes the 
collective action of \a, b) 1 — ► u™ iab \a, b) by the ith player 
on their share of the encoded quantum registers, where 
uii G ¥ q satisfies the system of equations X)"=i m i — 1 



and J2i=l m iDi 

Thus, 

31ao)L 



En 2 
i=i m-iVi 



En n—1 n 

i= i miVi = 0. 



9 -i 

E 



to. 



ai,a2 S "M c td— ls^Os^lvs^n — 1=0 



The qary state quantum teleportation process goes 
as follows: The sender and the receiver first share the 
state l^) = ^21^1, \kk) / ^/q before the sender makes a 
joint measurement on the quantum state to be tele- 
ported and his/her share of the state |<I>) along the basis 

{J2l=o a + k) I \/q}a,be¥ q } where u q is a primitive 

gth root of unity. Then, the sender informs the receiver 
the measurement result. If the measurement outcome 
is Y^kJa UJ q k \ a i a + ty/i/q, then the receiver may recon- 
struct the quantum state by applying the unitary 
transformation |a;) 1— » uj b q x a \x 
the original state |$). 



a) to his/her share of 



(CI) 



Summing over a\ in Eq. ( |Cl[ ) gives 6„-i = 
0. And then summing over a 2 gives b n -2 = 0. 
And inductively, I conclude that Eq. (CI) becomes 



X/6 ,bi,. 



ao&o 



b n -dV, 



n — d\ 



Hence, by putting 00 = 0, I obtain : 5|0)l = J2t=o \^)ti 
which is our required result. 
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